Disabling mod_security for a domain

mod_security is an open source Apache module that acts as a firewall for web applications and protects the system from attackers. Apache 1.x uses mod_security1 and Apache 2.x uses mod_security2. With mod_security1, we can disable it for a domain using the .htaccess file.

To disable mod_security for one domain, add the following line to .htaccess:

SecFilterEngine Off

However, mod_security2 can't be disabled via .htaccess on a per-domain basis.

The following steps can be used to disable mod_security2 rules for one domain on cPanel servers.

1. Create the directory “/usr/local/apache/conf/userdata/std/2/username/domain.com”

2. Create a file “vhost.conf” in the above location

3. Add the following lines:

<IfModule mod_security2.c>
SecRuleEngine Off
</IfModule>

To disable mod_security for a particular location:

<LocationMatch specify_the_path_here>
<IfModule mod_security2.c>
SecRuleEngine Off
</IfModule>
</LocationMatch>

To disable a particular mod_security rule:

<IfModule mod_security2.c>
SecRuleRemoveById give_ruleID_here
</IfModule>

Make sure to run the following script after making the changes.

/scripts/ensure_vhost_includes --user=username

This script will uncomment the following line in the Apache configuration. It will customise the virtual host to use the particular include file and will restart Apache.

Include "/usr/local/apache/conf/userdata/std/2/username/domain.com/*.conf"
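
To review later which domains have had mod_security2 switched off or narrowed through these include files, the following added example (not part of the original article and not cPanel tooling) walks the userdata directory and classifies each override as whole-domain, path-scoped or single-rule. The function name and the output labels are assumptions of this example; the directory layout is the one used in the steps above.

```shell
#!/usr/bin/env bash
# Added example, not cPanel tooling. Assumed layout (from the steps above):
#   <base>/<username>/<domain>/*.conf
# Prints one line per override: user domain SCOPE detail (labels are this example's own).
# Usage on a server: audit_modsec_overrides | sort

audit_modsec_overrides() (          # body runs in a subshell, so variables stay local
    base="${1:-/usr/local/apache/conf/userdata/std/2}"
    for conf in "$base"/*/*/*.conf; do
        [ -f "$conf" ] || continue  # glob matched nothing
        domain_dir=$(dirname "$conf")
        domain=$(basename "$domain_dir")
        user=$(basename "$(dirname "$domain_dir")")
        awk -v user="$user" -v domain="$domain" '
            /^[ \t]*#/ { next }                       # ignore commented-out directives
            { line = tolower($0) }                    # Apache directives are case-insensitive
            line ~ /^[ \t]*<locationmatch[ \t]/ {     # entering a path-scoped block
                loc = $2; sub(/>$/, "", loc); next
            }
            line ~ /^[ \t]*<\/locationmatch>/ { loc = ""; next }
            line ~ /^[ \t]*secruleengine[ \t]+off/ {
                if (loc != "") print user, domain, "ENGINE_OFF_PATH", loc
                else           print user, domain, "ENGINE_OFF_DOMAIN", "-"
            }
            line ~ /^[ \t]*secruleremovebyid[ \t]/ {  # single rule(s) removed, engine still on
                ids = $0; sub(/^[ \t]*[^ \t]+[ \t]+/, "", ids)
                print user, domain, "RULE_REMOVED", ids
            }
        ' "$conf"
    done
)
```

ENGINE_OFF_DOMAIN lines are the ones to review first, since they remove mod_security2 for the whole virtual host rather than for one path or one rule.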